Hashicorp Vault - Unable to Update Expired Secret of Azure App Registration

I’m trying to update an expired Secret of an Azure App Registration that is linked to Azure Key Vault, and plan to generate a root token for this operation since I am unable to login via OIDC.

I’ve tried this guide “Generate Root Tokens Using Unseal Keys” which generates the root token using Shamir’s Secret Sharing.

The final user during the root token generation is getting this error message:

* root generation aborted: unable to authenticate: recovery key verification failed: failed to decrypt encrypted stored keys: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<redacted azure key vault endpoint>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '<redacted>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security...

How am I supposed to update the expired secret without Hashicorp Vault having to talk to Azure Key Vault?

Do you mean that your Vault is using auto-unseal with Azure and that key has been lost?

Hi, the root token you mean? I am trying to generate the root token using Shamir’s Shared Secret method with the quorum of unseal keys; however this is not working, as the final user gets the error message shown in my original message.

Based on the error you have posted, I think the credentials you need to replace might actually be located in the Vault server configuration file:

You need to update them there, using a text editor, rather than via the Vault API.

It is possible that after you have updated those credentials, which are used for the Vault seal encryption, you might also need to update other Azure credentials that are used to support the OIDC auth method - those credentials would need to be updated via the Vault API, so you might need to proceed with the root token generation after updating the seal credentials. The important concept to bear in mind is that if you use Azure integration for multiple distinct subsystems within Vault, there might be multiple places where the credentials need to be updated.

Separately to that, please note that as you appear to be using Azure Key Vault auto-unseal, you don’t actually have a quorum of unseal keys.

When Vault is using the default Shamir seal, the unseal keys play double duty:

  • Allowing unseal
  • Authenticating that a quorum of human administrators authorize a special recovery action (such as root token generation)

But when you use an auto-unseal method, the auto-unseal device takes control of allowing unseal, and instead you have a quorum of recovery keys - which behave a lot like unseal keys, but which are not sufficient to unseal Vault and only function to authenticate a quorum of human administrators.
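As an added illustration, not taken from the thread, this is the stanza in the Vault server configuration file where the Azure Key Vault seal credentials live; every value below is a placeholder, and the credential the error complains about is `client_secret`:

```hcl
# Vault server configuration (e.g. vault.hcl or the config key in a ConfigMap).
# The seal stanza is read at startup, so changing it means editing the file
# and restarting Vault, not calling the Vault API.
seal "azurekeyvault" {
  tenant_id     = "<azure-tenant-id>"        # placeholder
  client_id     = "<app-registration-client-id>"  # placeholder
  # The App Registration secret that AADSTS7000222 reports as expired.
  # Rotate it in Azure, then replace it here.
  client_secret = "<new-app-registration-client-secret>"  # placeholder
  vault_name    = "<azure-key-vault-name>"   # placeholder
  key_name      = "<unseal-key-name>"        # placeholder
}

# Note: Vault can also take these values from the AZURE_TENANT_ID,
# AZURE_CLIENT_ID and AZURE_CLIENT_SECRET environment variables, so if the
# stanza above omits client_secret, check the process environment (for a
# Kubernetes deployment, the StatefulSet's env or envFrom) as well.
```

The OIDC auth method keeps its own copy of an Azure client secret in Vault storage, so it is updated separately with `vault write auth/oidc/config oidc_client_secret=...` once you have a usable token.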

You’re right, I found the client secret in the vault-config ConfigMap, which I updated, then restarted the StatefulSet and made sure that the containers could see the updated client secret; however I am still getting the same error?

Also, I have an expired client secret for OIDC Auth which needs updating. I presume this is stored somewhere else and needs to be updated via the API?